Event ID 540 – Successful Network Logon
|Description||Successful network logon|
When a user logs in remotely via the network and connects to a resource (ex: file share) provided by the server service of the monitoring computer, event 540 is generated. The logon can be of any type.
This log data provides the following information:
- User Name
- Logon Type
- Logon Process
- Authentication Package
- Workstation Name
In Windows 2000 and XP, the following information is not made available:
- Caller User Name
- Caller Domain
- Caller Logon ID
- Caller Process ID
- Transited Services
- Source Network Address
- Source Port
Additionally, in Windows 2000, Logon GUID is also not provided in the logs.
Why does event ID 540 need to be monitored?
- To detect brute-force, dictionary, and other password guess attacks
- To detect abnormal and possibly malicious internal activity
- To come up with a benchmark for the account lockout threshold policy
- To ensure compliance with regulatory mandates
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks all logon types, helping you meet your security, operational, and compliance needs with absolute ease.
Event 540 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4624.